
Data Theft and Identity Fraud

Mark D. Rasch, June 18, 2008

Definitions

• Identity theft: The unauthorized collection, possession, transfer, replication or other manipulation of another person’s personal information for the purpose of committing fraud or other crimes that involve the use of a false identity.

• Identity fraud: the gaining of money, goods, services, other benefits, or the avoidance of obligations, through the use of a false identity.

Identity Theft 2004-2005

(Each pair gives the 2004 figure, then the 2005 figure.)

Victims: 9.3 million vs. 8.9 million adult Americans
Total losses: $5.44 billion vs. $5.66 billion
Average loss: $5,885 vs. $6,383
Median fraud amount per fraud victim: $750 vs. $750
Average consumer cost: $675 vs. $422
Average resolution time: 28 hours vs. 40 hours
Median resolution time: 5 hours vs. 5 hours

Sources of theft: 68.2% paper-based theft; 11.6% computer crime; 50% family members, friends, and neighbors; 28.8% lost or stolen wallets and checkbooks

Facts You Didn't Know Related to Identity Fraud

It takes 467 days to discover that you are a victim of identity fraud (Experian).

79 percent of businesses make no effort to destroy sensitive material that is thrown away or being prepared for recycling.

40 percent of businesses risk their clients' identities by throwing away information on their customers, including home addresses, phone numbers and photocopies of passports, all of which can be used by a criminal to steal a person's identity (survey commissioned by Fellowes).

Current address (or present address fraud) accounted for almost half of all identity fraud cases reported to Experian in the second half of 2006.

Most Useful Info

• ID documents/numbers
– SIN, health, driver's license, passport, birth cert.
– employee, student, member
• Account numbers/details
– bank, credit card, mortgage, phone, etc.
• Credit reports
• Home address
• Date of birth
• Passwords, PINs
• Employment details
• Biometric information

Techniques of ID Theft

• taking/stealing from individuals:
– finders keepers: trash, used computer equipment, lost wallet
– theft of wallet, checkbook, credit card, mail
– pretexting by phone or in person
– scams: employment, surveys, contests…
– phishing, vishing, pharming, whaling
– skimming via ATMs, hidden machines
– wireless eavesdropping
– malware: keystroke loggers, etc.

Techniques of ID Theft

• taking from public sources:
– personal websites, social networking sites
– online resumes
– employer/association websites
– online public records (e.g., court/tribunal)
– post-disaster missing person sites
– obituaries
– used vehicle info package (Ont.)
• owner's name/address used to get a copy of the ownership permit

Techniques of ID Theft

• taking/stealing from organizations:
– dumpster diving
– used computer equipment
– corrupt employees
– pretexting (duped employees)
• purchase/subscribe (e.g., credit reports)
– hacking
– taking advantage of security holes

Phishing Statistics – Victim Attempts

http://www.marshal.com/TRACE/phishing_statistics.asp

Week ending 20 April, 2008

Phishing Sources by Country

Phishing Sources by Continent

Phishing Percentage over Time

Intermediate Stages

• ID data trafficking
– buy and sell personal information
• ID document "breeding"
– create counterfeit documents
– apply for new documents, ID numbers (forgery)
• Submit change of address to post office
– divert victim's mail

Purpose: ID Fraud

• use credit card, phone credit
• withdraw from bank account
• open new accounts (bank, utility, phone…)
• obtain loans
• mortgage/sell property (mortgage/title fraud)
• steal cars; order goods online using a drop-site
• get insurance or government benefits
• get employment/hide criminal record
• create cover for other criminals/terrorists

Control Points

• Individuals:
– limited control / ability to assess risk
• Organizations:
– Service providers
• online services, electronic banking, magnetic stripe cards, wireless communications, …
– Software/hardware vendors/manufacturers
– Data holders
– Public records
– Social networking sites

Market Responses

• Stronger authentication mechanisms
– more passwords, two-factor authentication
– credit card security code
– smart cards
– digital IDs; "information cards"
– biometrics
• New detection tools
– ID Alarm
– better account monitoring/pattern recognition
• Industry standards
– financial transactions (Interac, etc.)

Criminal Law

• Existing ID theft/fraud crimes
– fraud, forgery, personation, computer misuse
– mere possession is not a crime; no deprivation
• Possible new ID theft crimes
– possession of [multiple] ID with intent to defraud
• remove deprivation requirement
• rebuttable presumption of intent (multiple ID, spec. data)
– fraudulently obtaining personal info (Bill C-299)
– trafficking in ID info/cards recklessly or knowingly
– breach of trust (employee theft)
– fraudulently redirecting mail

EU Convention on Cybercrime

Adopted in 11/2001, in force since 7/2004. 43 signatory states, 22 already ratified, including the U.S.

The Convention on Cybercrime (CCC):
– harmonizes domestic criminal substantive law
– provides investigation authorities with certain powers
– sets a system of international cooperation

Influence on other legislative efforts: EU Council Framework Decision 2005/222/JHA on attacks against information systems.

Phishing and the CCC

Computer-related fraud (Art. 8): "causing a loss of property to another person by: a) any input, alteration, deletion or suppression of computer data; b) any interference with functioning of a computer system, with fraudulent and dishonest intent of procuring, without right, an economic benefit for oneself or for another person"

According to the Explanatory Report to the CCC, this criminal offence aims at "manipulation in the course of data processing with the intention to effect an illegal transfer of property."

Misleading internet users to disclose their private data

Pharming and the CCC

Computer-related fraud (Art. 8), committed by way of "interfering with the functioning of a computer system"

Illegal access (Art. 2): accessing on-line bank accounts

Infringement of copyright and related rights (Art. 10): creating bogus websites that resemble the original ones

Identity Theft and Assumption Deterrence Act

18 U.S.C. §1028, October 1998. Makes identity theft a crime. Punishes whoever "knowingly transfers or uses, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of federal law, or that constitutes a felony under any applicable state or local law."

Name or SSN is considered a “means of identification.” So is a credit card number, cellular telephone electronic serial number or any other piece of information that may be used alone or in conjunction with other information to identify a specific individual.

Caution: Beware of unintended consequences…

– shouldn't criminalize socially accepted uses of alternative identities
• pseudonyms (e.g., online privacy protection)
• kids' use of adult ID to get cigarettes or booze
• investigative journalism/public interest research
– mere possession is not enough
• eroding the presumption of innocence
– how much uncaptured crime = acceptable cost of protecting innocent individuals from prosecution?
– "knowingly and with intent to defraud…"

FACTA RED FLAG

Red Flag Rules

The rules go into effect November 1, 2008. The regulations apply to banks, but also to any financial institution or creditor that holds a covered transaction account: any consumer account, or other account for which there is a reasonably foreseeable risk of identity theft. Such an institution or creditor must develop and implement an Identity Theft Prevention Program (Program) for combating identity theft in connection with new and existing accounts.

The Program must include reasonable policies and procedures for detecting, preventing, and mitigating identity theft and enable a financial institution or creditor to:

• Identify relevant patterns, practices, and specific forms of activity that are "red flags" signaling possible identity theft and incorporate those red flags into the Program;
• Detect red flags that have been incorporated into the Program;
• Respond appropriately to any red flags that are detected to prevent and mitigate identity theft; and
• Ensure the Program is updated periodically to reflect changes in risks from identity theft.

Purposes of Red Flag Rule

In adopting FACTA Sections 114 and 315, Congress recognized that lax business practices played a significant role in aiding identity thieves. Prior law included:

• (1) the Customer Identification Program rule adopted under section 326 of the USA PATRIOT Act, 31 USC 5318(l), (CIP rule) adopted as a counter-terrorism measure; and
• (2) the information security guidelines adopted under the Gramm-Leach-Bliley Act, 15 USC 6801, (GLB)

Report to Board of Directors and/or Senior Management

The Plan requires approval by, and reporting to, the board of directors or "senior management." [71 Fed Reg 40789] However, the principle that a senior-management-level employee is responsible for the Program is not included for organizations without a board of directors. Instead of "designated employee," the Agencies should specify that, absent a board of directors, a senior manager is charged with overseeing the Program.

Covered Entities

The rules apply to any financial institution or creditor that holds a covered account.

A financial institution is defined as a state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other entity that holds a "transaction account" belonging to a consumer.

Definitions

A transaction account is a deposit or other account from which the owner makes payments or transfers. Transaction accounts include checking accounts, negotiable order of withdrawal accounts, savings deposits subject to automatic transfers, and share draft accounts.

A creditor is any entity that regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit. Creditors include finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies.

A covered account is an account used mostly for personal, family, or household purposes, and that involves multiple payments or transactions. Covered accounts include credit card accounts, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, checking accounts, and savings accounts. A covered account is also an account for which there is a foreseeable risk of identity theft - for example, small business or sole proprietorship accounts.

Identity Theft Prevention Program

The rules require:

• each financial institution and creditor that holds any "covered account" to develop and implement an Identity Theft Prevention Program designed to prevent, detect, and mitigate identity theft in connection with new and existing accounts;

• issuers of credit and debit cards to develop policies and procedures to assess the validity of an address change request when that request is followed closely by a request for an additional or replacement card;

• users of consumer credit reports to develop policies and procedures to respond to notices from credit reporting agencies regarding address discrepancies.

Requirements

Written Identity Theft Prevention Program ("Program") to prevent, detect, and mitigate identity theft in connection with certain covered accounts. The programs must be uniquely tailored to a covered entity's size, complexity, and nature of operations.

Four Essential Features

Identify and incorporate relevant patterns, practices, and specific forms of activity that are "red flags" signaling possible identity theft. These:
• vary depending on the nature of the business in question,
• are based on the guidance provided by regulators and the covered entity's own experiences.

Detect red flags that have been incorporated into the entity's Program, by:
• obtaining identifying information about, and verifying the identity of, a person opening an account, and, in the case of existing accounts, authenticating customers,
• monitoring transactions, verifying the validity of address change requests.

Respond appropriately to any red flags that are detected, by:
• monitoring an account for evidence of identity theft,
• contacting the customer,
• calling law enforcement,
• changing any password or security device that permits account access,
• closing an account, etc.

Update the ID theft program periodically to reflect changes in risks to customers from identity theft, or to the safety and soundness of the covered entity.

What You Should Do

Look for patterns, practices, and activities that indicate a possible risk of identity theft.

The covered entity should evaluate the list (which is not exhaustive) and include in its Program those red flags that are appropriate to its business:

• Alerts, notifications, or other warnings received from consumer reporting agencies or service providers, such as fraud detection services;
• The presentation of suspicious documents;
• The presentation of suspicious personal identifying information, such as a suspicious address change or a social security number listed in the Social Security Administration's Death Master File;
• The unusual use of, or other suspicious activity related to, a covered account; and
• Notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts.
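The following is an added example, not part of the presentation, showing how the red flags listed above, together with the address-change-followed-by-card-request check from the Identity Theft Prevention Program section, can be encoded as screening rules evaluated over a stream of account events. The event kinds, the 30-day window, the 5x-baseline threshold for "unusual use", the placeholder Death Master File entries and the sample events are all assumptions chosen for illustration; the regulation sets no such numbers.

```python
"""Red-flag screening over a constructed stream of account events.

Added illustration, not part of the presentation: each FACTA red flag from the
list above becomes one rule evaluated per account, in time order. Event kinds,
thresholds and the sample data are assumptions chosen for this example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import mean


@dataclass
class Event:
    account: str
    kind: str          # account_open | address_change | card_request | txn | cra_alert | victim_notice
    at: datetime
    detail: dict = field(default_factory=dict)


@dataclass(frozen=True)
class RedFlag:
    account: str
    rule: str
    evidence: str


# Assumed tuning values; the rule itself sets no numbers.
CARD_AFTER_ADDRESS_WINDOW = timedelta(days=30)  # card request this soon after an address change is suspicious
UNUSUAL_AMOUNT_MULTIPLIER = 5.0                  # a transaction above N x the account's prior mean is "unusual use"
MIN_HISTORY_FOR_BASELINE = 3                     # prior transactions needed before judging an amount

# Constructed placeholder entries standing in for a Death Master File lookup (not real SSNs).
DEATH_MASTER_FILE = {"000-00-0001"}


def screen_events(events, death_master_file=DEATH_MASTER_FILE):
    """Evaluate the red-flag rules per account and return the RedFlag records raised."""
    flags = []
    by_account = {}
    for ev in sorted(events, key=lambda e: e.at):
        by_account.setdefault(ev.account, []).append(ev)

    for account, evs in by_account.items():
        last_address_change = None
        prior_amounts = []
        for ev in evs:
            if ev.kind == "cra_alert":
                # Alerts or warnings from consumer reporting agencies / fraud detection services.
                flags.append(RedFlag(account, "cra_alert", ev.detail.get("message", "")))
            elif ev.kind == "account_open":
                # Suspicious identifying information: SSN listed in the Death Master File.
                ssn = ev.detail.get("ssn")
                if ssn in death_master_file:
                    flags.append(RedFlag(account, "ssn_in_death_master_file", f"ssn={ssn}"))
            elif ev.kind == "address_change":
                last_address_change = ev.at
            elif ev.kind == "card_request":
                # Address change followed closely by a request for an additional or replacement card.
                if last_address_change is not None and ev.at - last_address_change <= CARD_AFTER_ADDRESS_WINDOW:
                    gap = (ev.at - last_address_change).days
                    flags.append(RedFlag(account, "card_request_after_address_change",
                                         f"{ev.detail.get('type', 'card')} requested {gap} days after address change"))
            elif ev.kind == "txn":
                # Unusual use of the account: amount far above the account's own baseline.
                amount = float(ev.detail.get("amount", 0))
                if len(prior_amounts) >= MIN_HISTORY_FOR_BASELINE:
                    baseline = mean(prior_amounts)
                    if amount > UNUSUAL_AMOUNT_MULTIPLIER * baseline:
                        flags.append(RedFlag(account, "unusual_transaction",
                                             f"amount={amount:.2f} baseline={baseline:.2f}"))
                prior_amounts.append(amount)
            elif ev.kind == "victim_notice":
                # Notice from a customer, victim or law enforcement about possible identity theft.
                flags.append(RedFlag(account, "victim_notice", ev.detail.get("source", "")))
    return flags


def rules_by_account(flags):
    """Group raised rule names by account, the input to the 'respond' step."""
    grouped = {}
    for f in flags:
        grouped.setdefault(f.account, []).append(f.rule)
    return grouped


def _when(month, day):
    return datetime(2008, month, day)


# Constructed sample events (not real accounts or people).
SAMPLE_EVENTS = [
    Event("A1", "address_change", _when(6, 1)),
    Event("A1", "card_request", _when(6, 5), {"type": "replacement"}),   # 4 days later: flagged
    Event("A2", "account_open", _when(6, 2), {"ssn": "000-00-0001"}),     # listed SSN: flagged
    Event("A3", "cra_alert", _when(6, 3), {"message": "fraud alert on file"}),
    Event("A4", "address_change", _when(6, 1)),
    Event("A4", "card_request", _when(8, 15), {"type": "additional"}),    # 75 days later: not flagged
    Event("A5", "txn", _when(6, 1), {"amount": 40}),
    Event("A5", "txn", _when(6, 2), {"amount": 50}),
    Event("A5", "txn", _when(6, 3), {"amount": 60}),
    Event("A5", "txn", _when(6, 4), {"amount": 900}),                     # 18x the baseline: flagged
    Event("A5", "txn", _when(6, 5), {"amount": 45}),
    Event("A6", "victim_notice", _when(6, 6), {"source": "customer phone call"}),
]

if __name__ == "__main__":
    for f in screen_events(SAMPLE_EVENTS):
        print(f"{f.account}: {f.rule} ({f.evidence})")
```

The rules are deliberately simple and per-account; the point is that each red flag on the list maps to a concrete, testable check whose output feeds the "respond" step (contact the customer, change credentials, close the account). A real Program would tune the window and baseline multiplier from the entity's own experience, as the rule itself requires.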

Other Requirements

Program must be in WRITING.

• Obtain approval of the initial written Program by the Board of Directors or a committee of the Board;
• Involve the Board of Directors, a committee of the Board, or senior management in the development, implementation, and administration of the Program;
• Report, at least annually, to the Board of Directors, a committee of the Board, or senior management, on compliance with the red flag regulations;
• Train staff to implement the Program effectively; and
• Exercise appropriate and effective oversight of arrangements with third-party and affiliated service providers.

Organizations

• limit collection/retention of personal information
• don't create or contribute to data warehouses
• control (minimize?) outsourcing
• minimize disclosures of personal information
– e.g., credit card receipts
• security safeguards
– computer firewalls, access controls
– trash: shredding docs, cleaning used computer equipment
– validation, authentication of customers
• employee screening, training, monitoring
• warnings; notice to potential victims

Privacy is Dead. Now What?

Mark D. Rasch, Managing Director - Technology, FTI Consulting

Privacy Generally

No general legal protections for privacy; a hodgepodge of federal and state laws deal with particular subject matters. Constitutional implied or penumbra rights:

• Fourth Amendment – search and seizure
• Fifth Amendment – self-incrimination
• Ninth Amendment – delegation
• Griswold v. Conn., Doe reproductive rights cases
• "right to be left alone"

What do we MEAN by Privacy?

Right to be left alone
Right to integrity of person
Right to CONTROL of data collected

BUT:
Who OWNS the data about us?
Who has a right to access?
Under what circumstances?

Threats to Privacy

Data collection:
• Voluntary collection
• Compelled collection
• "Ambient" information
• "Public" information
• Surveillance

Data dissemination
Data non-anonymization
Data aggregation
Subject profiling

Federal Privacy Laws

Privacy Act (1974)
Federal Trade Commission Act (1914)
Fair Credit Reporting Act (1970)
Family Educational Rights and Privacy Act, Public Law 93-380 (1974)
Cable Communications Policy Act (1984)
Cable Privacy Protection Act of 1984
Electronic Communications Privacy Act (1986)
Title III Wiretap Provisions
Computer Matching and Privacy Protection Act (1988)
Tax Reform Act of 1976
The Right to Financial Privacy Act of 1978
Video Privacy Protection Act (1988)
Telephone Consumer Protection Act (1991)
Drivers Privacy Protection Act, PL 103-322 (1994)
Children's Online Privacy Protection Act (1998)
HIPAA (1996)
GLBA (2000)

Data Collection

Website collection
• EU Data Privacy Laws
• US "Safe Harbor" provisions
• FTC Section 5 "false and deceptive trade practices"
• Lilly case
• Do what you say – say what you do
• Google/DoubleClick – finalized March 10, 2008
• Privacy policies

Who owns collected data?

Data subject?
Data collector?
Sale of data?
Data sharing?
Profiling?
Mining?

Anonymity

Anonymous speech
Postings
Blogging
Takedown notices
Copyright infringement
P2P
Defamation?
As a general rule – anonymity loses

Amendments to Regulation S-P

GRAMM-LEACH-BLILEY ACT

● Financial Services Modernization Act of 1999
● FTC implementation
- Privacy Rule in 2000 – higher education is exempt if compliant with FERPA
- Safeguards Rule in 2002 – applies to "financial institutions" including higher education
- Information Security Programs were required beginning May 23, 2003

SAFEGUARDS RULE (16 CFR PT. 314)

Requires development, implementation, and maintenance of “a comprehensive information security program” containing “administrative, technical, and physical safeguards that are appropriate” for the size, complexity, nature and scope of your activities, and the sensitivity of the protected information.

Elements

- Designation of an employee or employees to coordinate the information security program.

- Employee training and management;
- Risk assessment, including focus on:
▪ Information systems, including network and software design, as well as information processing, storage, transmission and disposal; and
▪ Detecting, preventing and responding to attacks, intrusions, or other systems failures.

- Design and implement information safeguards to control the risks you identify through risk assessment, and regularly test or otherwise monitor the effectiveness of the safeguards' key controls, systems, and procedures.

- Oversee service providers, by:
▪ Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue; and
▪ Requiring your service providers by contract to implement and maintain such safeguards.

- Periodic Evaluations and Adjustments of information security program to account for any material changes to your operations or business arrangements or any other circumstances that you know or have reason to know may have a material impact on your information security program.

DATA BREACH NOTIFICATION LAWS

Data Breach Notification

Vary from state to state:
– Differing definitions of Personally Identifiable Information
– Vary on HOW to report
– What to report
– When to report
– To WHOM to report
– What to do BESIDES report
– Who has the obligation to report

FACTA and Disposal Rules

FACTA – what credit card information you can collect/print
Disposal rule – 16 CFR Part 182

Part of the duty to protect personal information:
– credit information
– Social Security information
– related financial information

LEGAL LIABILITY - CASE LAW

● Case law/experts suggest an emerging duty to provide data security
– Kahle v. Litton (May 16, 2007): court recognized that the defendant mortgage company owed a duty to safeguard the plaintiff mortgagee's data
– Bell v. Michigan Council (February 15, 2005): court recognized a fiduciary duty to safeguard PII between a union and its members
– Cobell v. Norton (December 3, 2004): D.C. Court of Appeals cites Interior's obligation "as a fiduciary" to maintain and preserve information
– Daly v. Met Life (May 20, 2004): NYS court found a fiduciary duty requiring the insurer to protect the insured's personal information

Superior Mortgage

September 28, 2005. The FTC's Safeguards Rule, enacted under the Gramm-Leach-Bliley Act, requires financial institutions to implement reasonable policies and procedures to ensure the security and confidentiality of sensitive customer information.

Superior maintained customers’ Social Security numbers, credit histories, and credit card numbers, among other sensitive information.

GLBA Regulation S-P

GLBA and Regulation S-P require brokers, dealers, investment advisers registered with the SEC, and investment companies to

• provide an annual notice of their privacy policies and practices to their customers (and notice to consumers before sharing their nonpublic personal information with nonaffiliated third parties outside certain exceptions). 15 U.S.C. 6803(a); 17 CFR 248.4; 17 CFR 248.5.

• describe the institutions’ policies and practices with respect to disclosing nonpublic personal information about a consumer to both affiliated and nonaffiliated third parties. 15 U.S.C. 6803; 17 CFR 248.6.

• provide a consumer a reasonable opportunity to direct the institution generally not to share nonpublic personal information about the consumer (that is, to “opt out”) with nonaffiliated third parties. 15 U.S.C.6802(b); 17 CFR 248.7.

• where applicable under the FCRA, a notice and an opportunity for a consumer to opt out of certain information sharing among affiliates. Sections 13, 14, and 15 of Regulation S-P (17 CFR 248.13, 17 CFR 248.14, and 17 CFR 248.15) set out exceptions from these general notice and opt-out requirements under GLBA.

• Exceptions for sharing information with other financial institutions under joint marketing agreements and with certain service providers.

• Exceptions for sharing information for everyday business purposes, such as maintaining or servicing accounts.

Amendments to Reg S-P

On March 4, 2008, the Securities and Exchange Commission announced proposed changes to Regulation S-P to address identity theft of securities industry customers.

Reg S-P was adopted seven years ago under the Gramm-Leach-Bliley Act ("GLBA") and the Fair Credit Reporting Act, and requires financial institutions under the authority of the SEC (including investment advisers, mutual funds, broker-dealers and SEC-registered transfer agents) to adopt policies and procedures to protect client information.

The Disposal rule and FACTA require secure disposal of personal information. The two requirements of Reg S-P relating to safeguarding and disposal of confidential information have not kept pace with bank and other regulators' detailed programs for information privacy and data security.

More Specific Requirements

More specific standards under the safeguards rule of Reg S-P, including physical, technical and administrative safeguards, written policies and required responses to data security breach incidents.

• require the financial institution to develop and execute a more detailed "information security program" similar to programs required by other federal regulators
• be in writing
• designate an employee in charge of information security
• identify anticipated threats and implement controls to address those threats
• require staff training
• regular testing
• coordination with service providers to maintain the program's effectiveness

Requirements

(i) designate in writing an employee or employees to coordinate the information security program;

(ii) identify in writing reasonably foreseeable security risks that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of personal information or personal information systems;

(iii) design and document in writing and implement information safeguards to control the identified risks;

(iv) regularly test or otherwise monitor and document in writing the effectiveness of the safeguards’ key controls, systems, and procedures, including the effectiveness of access controls on personal information systems, controls to detect, prevent and respond to attacks, or intrusions by unauthorized persons, and employee training and supervision;

(v) train staff to implement the information security program;

(vi) oversee service providers by taking reasonable steps to select and retain service providers capable of maintaining appropriate safeguards for the personal information at issue, and require service providers by contract to implement and maintain appropriate safeguards (and document such oversight in writing);

(vii) evaluate and adjust their information security programs to reflect the results of the testing and monitoring, relevant technology changes, material changes to operations or business arrangements, and any other circumstances that the institution knows or reasonably believes may have a material impact

Goals of Information Security Program

A financial institution's information security program must be reasonably calculated to prevent the breach and misuse of client information that results in "substantial harm or inconvenience":

• "personal injury, or more than trivial financial loss, expenditure of effort or loss of time."
• identity theft and extortion would likely cause "substantial harm or inconvenience,"
• inadvertent mis-delivery of an account statement would not.

Expanded Coverage of Reg S-P’s Scope

The SEC proposes to broaden the type of information and persons covered by the SEC safeguards and disposal rules.

• SEC proposes to have both rules protect "personal information," which encompasses "nonpublic personal information" under the GLBA and "consumer report information" under the Fair and Accurate Credit Transactions Act of 2003.

• While "personal information" means personally identifiable financial information, "consumer report information" focuses on information generally contained in consumer reports.

Information Security Coordinator

Require firms of all sizes to designate an employee to coordinate the information security program.

Would have “sufficient authority and access to the institution’s managers, officers and directors to effectively implement the program and modify it as necessary.”

Many firms have no such individual; thus they would:
• Add duties to IT managers with no experience in security
• Add duties to security personnel with no experience in IT
• No option to "outsource" compliance through consulting agreements
• Difference between responsibility and expertise

Testing

Require every institution to regularly test or otherwise monitor the effectiveness of the safeguards.

Broker-dealers, Commission-registered investment advisers and investment companies are already subject to rules that require testing of policies and procedures.

• Broker-dealers must comply with FINRA Rule 3520 and Commission Rules 38a-1 and 206(4)-7, which require investment companies and investment advisers, respectively, to conduct testing and an annual review of their policies and procedures that should include privacy and information safeguarding.

• Not clear if S-P requirements are supplemental or different.

Third Party Providers

Financial institutions should ensure TSPs implement and maintain controls sufficient to appropriately mitigate risk.

In higher-risk relationships the institution by contract may:
• prescribe minimum control and reporting standards,
• obtain the right to require changes to standards as external and internal environments change,
• obtain access to the TSP for institution or independent third-party evaluations of the TSP's performance against the standard.

In lower risk relationships the institution may prescribe the use of standardized reports, such as trust services reports or a Statement of Auditing Standards 70 (SAS 70) report.

Employee Information

In addition to nonpublic personal information and consumer report information of "consumers," "personal information" also would include information identified with any employee, investor or security holder who is a natural person that is handled by the institution or maintained on the institution's behalf.

Covers employees rather than only clients of financial institutions, including employee user names and passwords, which, if compromised, could undermine the integrity of a financial institution's information security system.

Explicit Coverage

The SEC safeguards rule would also apply to registered transfer agents in addition to the brokers, dealers, registered investment advisers, and investment companies.

However, registered broker-dealers would be excluded from the safeguards rule.

Disposal Rule

The SEC disposal rule would apply to “natural persons who are associated persons of a broker or dealer, supervised persons of a registered investment adviser, and associated persons of a registered transfer agent.”

The rule would continue to cover broker-dealers, investment companies, registered investment advisers and registered transfer agents.

Record-keeping.

Creates record-keeping requirements for policies and procedures to comply with the proposed regulation, as well as documentation of compliance.

Doesn't say how detailed the records must be. Includes:
– plans on how to comply
– why a particular plan or solution was chosen
– why it is appropriate to the size and complexity of the business, and to the sensitivity of the data protected
– written plans on privacy, security, training and incident response

Broker Mobility.

Exception allowing a broker who is changing firms to take limited personal information to the new firm in order to maintain relationships with clients

Is this a "disclosure" to the new firm?
Can the customer "opt out" of this disclosure?

Breach Notification

A financial institution would need to notify the affected individual and, potentially, the SEC in the event of a data security breach.

Notify the affected individual when the institution becomes aware of unauthorized access to personal information and determines that misuse of personal information has occurred or is reasonably possible.

This “risk of harm” standard is similar to that used in the guidance relating to customer notification of security breaches issued by the bank regulatory agencies.

SEC would require notification to the SEC only when the breach poses a significant risk of substantial harm or inconvenience to a consumer or when someone has intentionally obtained “sensitive personal information,” such as a social security number.

Financial institutions must report the incident to the SEC on proposed Form SP-30.

Requires written procedures for responding to a data security breach

Breach Notification

If a third party holding broker/dealer information suffers a breach, WHO has the duty to notify?
• Data collector – has the personal relationship with the data subject, and has the "contract" for privacy
• Data collector has presumably selected the third party to share information with
• Who is the "owner" of the information?
• Who has the "duty" to notify, at whose expense, and who is liable for inadequate or untimely notification?

Federal Preemption

Financial institutions subject to the bank regulatory agency guidance providing notice of a security breach under that standard are exempt from the requirements of several of the numerous state data security breach notice laws.

Those financial institutions providing notice under the new SEC standard will now also be permitted under many state laws to provide notice to consumers under the federal standard rather than the different state standards.

For More Information

Mark D. Rasch
Managing Director, Technology
FTI Consulting
[email protected]
(202) 312-9174